UDP Encapsulation of IPsec ESP Packets
RFC 3948
Document Type RFC - Proposed Standard (January 2005; No errata)
Authors Victor Volpe  , Markus Stenberg  , Brian Swander  , Larry DiBurro  , Ari Huttunen 
Last updated 2015-10-14
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3948 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors Email WG IPR 3 References Referenced by Nits 
Network Working Group                                        A. Huttunen
Request for Comments: 3948                          F-Secure Corporation
Category: Standards Track                                     B. Swander
                                                               Microsoft
                                                                V. Volpe
                                                           Cisco Systems
                                                              L. DiBurro
                                                         Nortel Networks
                                                             M. Stenberg
                                                            January 2005

                 UDP Encapsulation of IPsec ESP Packets

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This protocol specification defines methods to encapsulate and
   decapsulate IP Encapsulating Security Payload (ESP) packets inside
   UDP packets for traversing Network Address Translators.  ESP
   encapsulation, as defined in this document, can be used in both IPv4
   and IPv6 scenarios.  Whenever negotiated, encapsulation is used with
   Internet Key Exchange (IKE).

Huttunen, et al.            Standards Track                     [Page 1]
RFC 3948         UDP Encapsulation of IPsec ESP Packets     January 2005

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Packet Formats . . . . . . . . . . . . . . . . . . . . . . . .  3
       2.1.  UDP-Encapsulated ESP Header Format . . . . . . . . . . .  3
       2.2.  IKE Header Format for Port 4500  . . . . . . . . . . . .  4
       2.3.  NAT-Keepalive Packet Format  . . . . . . . . . . . . . .  4
   3.  Encapsulation and Decapsulation Procedures . . . . . . . . . .  5
       3.1.  Auxiliary Procedures . . . . . . . . . . . . . . . . . .  5
             3.1.1.  Tunnel Mode Decapsulation NAT Procedure  . . . .  5
             3.1.2.  Transport Mode Decapsulation NAT Procedure . . .  5
       3.2.  Transport Mode ESP Encapsulation . . . . . . . . . . . .  6
       3.3.  Transport Mode ESP Decapsulation . . . . . . . . . . . .  6
       3.4.  Tunnel Mode ESP Encapsulation  . . . . . . . . . . . . .  7
       3.5.  Tunnel Mode ESP Decapsulation  . . . . . . . . . . . . .  7
   4.  NAT Keepalive Procedure  . . . . . . . . . . . . . . . . . . .  7
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
       5.1.  Tunnel Mode Conflict . . . . . . . . . . . . . . . . . .  8
       5.2.  Transport Mode Conflict  . . . . . . . . . . . . . . . .  9
   6.  IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 10
   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 11
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
       8.1.  Normative References . . . . . . . . . . . . . . . . . . 11
       8.2.  Informative References . . . . . . . . . . . . . . . . . 11
   A.  Clarification of Potential NAT Multiple Client Solutions . . . 12
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
       Full Copyright Statement . . . . . . . . . . . . . . . . . . . 15

1.  Introduction

   This protocol specification defines methods to encapsulate and
   decapsulate ESP packets inside UDP packets for traversing Network
   Address Translators (NATs) (see [RFC3715], section 2.2, case i).  The
   UDP port numbers are the same as those used by IKE traffic, as
   defined in [RFC3947].

   The sharing of the port numbers for both IKE and UDP encapsulated ESP
   traffic was selected because it offers better scaling (only one NAT
   mapping in the NAT; no need to send separate IKE keepalives), easier
   configuration (only one port to be configured in firewalls), and
   easier implementation.

   A client's needs should determine whether transport mode or tunnel
   mode is to be supported (see [RFC3715], Section 3, "Telecommuter
   scenario").  L2TP/IPsec clients MUST support the modes as defined in
   [RFC3193].  IPsec tunnel mode clients MUST support tunnel mode.

Huttunen, et al.            Standards Track                     [Page 2]
RFC 3948         UDP Encapsulation of IPsec ESP Packets     January 2005

   An IKE implementation supporting this protocol specification MUST NOT
   use the ESP SPI field zero for ESP packets.  This ensures that IKE
   packets and ESP packets can be distinguished from each other.

   As defined in this document, UDP encapsulation of ESP packets is
   written in terms of IPv4 headers.  There is no technical reason why
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools